CLI Tool Checks

Most checks on this page require external programs installed on your machine. If a tool is not found, the check returns skip — never an error. Install only the tools relevant to your stack.

The Database Schema Lint section at the bottom is a built-in pure Node.js provider — no external install required.


Semgrep — SAST Security

Runs semgrep scan --config auto — detects security vulnerabilities, OWASP Top 10, and code anti-patterns across 30+ languages.

Install:

pip install semgrep

Configure:

"devManager.quality.semgrep.enabled": true,
"devManager.quality.semgrep.config": "auto"

config options: "auto" | "p/security-audit" | path to a custom rules file.


Trivy — CVE Vulnerability Scanner

Scans dependencies, Dockerfiles, IaC configs, and secrets for known CVEs. Supports all major package ecosystems (npm, pip, cargo, go.mod, composer, gem, etc.).

Install:

winget install AquaSecurity.Trivy

Configure:

"devManager.quality.builtin.trivy.enabled": true,
"devManager.quality.builtin.trivy.failOnSeverity": "HIGH",
"devManager.quality.builtin.trivy.warnOnSeverity": "MEDIUM"

ESLint Security — JS/TS Security Rules (removed)

The standalone eslintSecurity provider was removed — install eslint-plugin-security and add it to your ESLint config; the main builtin-eslint provider will pick the rules up automatically.

npm i -D eslint-plugin-security

.eslintrc.json:
{ "extends": ["plugin:security/recommended-legacy"] }

Bandit — Python Security

Static analysis tool for Python security issues (hardcoded passwords, SQL injection, unsafe deserialization, subprocess misuse, etc.).

Install:

pip install bandit

Configure:

"devManager.quality.builtin.bandit.enabled": true,
"devManager.quality.builtin.bandit.path": "bandit"

Auto-skips if no Python files are found in the project.


Bearer — Sensitive Data Flow Analysis

SAST scanner that tracks how sensitive data (PII, credentials, tokens) flows through your code. Detects data leaks, insecure storage, and compliance violations.

Install (macOS/Linux):

# macOS
brew install bearer/tap/bearer
# Linux
curl -sfL https://raw.githubusercontent.com/Bearer/bearer/main/contrib/install.sh | sh

Configure:

"devManager.quality.builtin.bearer.enabled": true,
"devManager.quality.builtin.bearer.path": "bearer"

Windows (WSL2):

"devManager.quality.builtin.bearer.path": "wsl bearer"

jscpd — Copy-Paste Detection

Detects copy-pasted code blocks across the project. Supports 50+ languages.

Install:

npm i -D jscpd

Configure:

"devManager.quality.builtin.jscpd.enabled": true,
"devManager.quality.builtin.jscpd.threshold": 5,
"devManager.quality.builtin.jscpd.minLines": 5

threshold — duplication percentage to trigger a warning.


Knip — Dead Code Detection

Detects unused exports, files, and dependencies in JavaScript/TypeScript projects.

Auto-installed via npx — no manual install needed.

"devManager.quality.builtin.knip.enabled": true

dependency-cruiser — Circular Dependencies

Detects circular import chains in JavaScript/TypeScript projects. Supports custom .dependency-cruiser.js configuration.

Auto-installed via npx — no manual install needed.

"devManager.quality.builtin.dependencyCruiser.enabled": true

Package Audit — CVE Scan via Package Managers

Runs your language’s native vulnerability audit:

Language   Command
Node.js    npm audit / pnpm audit / yarn audit
Python     pip-audit
Rust       cargo audit
Ruby       bundle audit
Go         govulncheck
PHP        composer audit

Configure:

"devManager.quality.builtin.pkgAudit.enabled": true

Automatically detects the right tool from your lockfile.


Outdated Dependencies

Shows packages with newer versions available.

"devManager.quality.builtin.outdatedDeps.enabled": true

License Compliance — license-checker

Lists all dependency licenses and warns on restrictive ones (GPL, AGPL, LGPL, unknown).

Auto-installed via npx — no manual install needed.

"devManager.quality.builtin.licenseCheck.enabled": true

Hadolint — Dockerfile Linting

Lints Dockerfiles for best-practice violations and security issues.

Install:

winget install hadolint

Configure:

"devManager.quality.builtin.hadolint.enabled": true

Scans all Dockerfile and Dockerfile.* files found in the project tree.


ShellCheck — Shell Script Linting

Static analysis for Bash/sh scripts — detects bugs, portability issues, and style problems.

Install:

winget install koalaman.shellcheck

Configure:

"devManager.quality.builtin.shellcheck.enabled": true

golangci-lint — Go Linting

Aggregates 100+ Go linters in a single fast run. Only activates when a go.mod file is found.

Install:

brew install golangci-lint

Configure:

"devManager.quality.builtin.golangciLint.enabled": true,
"devManager.quality.builtin.golangciLint.warnAt": 5,
"devManager.quality.builtin.golangciLint.failAt": 20

Stryker — Mutation Testing

Runs mutation tests to measure how well your test suite catches bugs. Only for JavaScript/TypeScript projects.

Install:

npm i -D @stryker-mutator/core @stryker-mutator/jest-runner

Configure:

"devManager.quality.builtin.stryker.enabled": false

TypeScript Check — tsc

Runs npx tsc --noEmit in the directory where tsconfig.json is found (project root or immediate subdirectory). Parses compiler diagnostics into the Quality Hub result.

Install: add TypeScript to the project (or ensure typescript is available to npx).

npm i -D typescript

Configure:

"devManager.quality.builtin.tscCheck.enabled": true

Auto-skips when there is no tsconfig.json.


YAMLlint — YAML syntax & style

Runs yamllint -f parsable on every .yml / .yaml file under the project (respecting Quality Hub skip directories).

Install:

pip install yamllint

Configure:

"devManager.quality.builtin.yamllint.enabled": true

Spectral — OpenAPI / AsyncAPI

Lints API specification files whose basename matches openapi*, swagger*, or asyncapi* with extension .yaml, .yml, or .json.

Install:

npm i -g @stoplight/spectral-cli

Configure:

"devManager.quality.builtin.spectral.enabled": true

Checkov — IaC security

Runs checkov -d <project> -o json when Terraform, Kubernetes YAML, CloudFormation, Dockerfile, or related IaC files are detected. Parses failed_checks from JSON output.

Install:

pip install checkov

Configure:

"devManager.quality.builtin.checkov.enabled": true

SQLFluff — SQL lint

Runs sqlfluff lint --format json on all .sql files. Uses project .sqlfluff when present; otherwise passes --dialect ansi.

Install:

pip install sqlfluff

Configure:

"devManager.quality.builtin.sqlfluff.enabled": true

Markdownlint — Markdown style

Prefers markdownlint-cli2 on **/*.md from the project root; falls back to markdownlint with an explicit file list if CLI2 is not installed.

Install:

npm i -g markdownlint-cli2

Configure:

"devManager.quality.builtin.markdownlint.enabled": true

Database Schema Lint (built-in, no install required)

A pure Node.js provider that auto-detects your ORM or schema format and runs 10 universal architecture rules. No external binaries needed.

Supported stacks: Prisma · Drizzle ORM · Django · SQLAlchemy · Rails (schema.rb) · Laravel (migrations) · EF Core (C#) · Go (GORM / ent / xorm) · Raw SQL

Rules checked:

Rule                       What it detects
floatForMoney              Float/Real/Double columns on fields named price, amount, total, etc. — use Decimal instead
missingFkIndex             Foreign-key columns without a covering index
namingConvention           Inconsistent table/column naming (snake_case vs camelCase) or missing @@map in Prisma
largeModel                 Models with more non-relation fields than maxFieldsPerModel (default: 30) — relation fields are excluded from the count
missingTimestamps          Models without createdAt / updatedAt (or ORM equivalents)
missingIdDefault           Primary-key fields without an auto-generation default (uuid(), autoincrement(), etc.)
reservedWords              Table or column names that are SQL reserved words
stringAsFk                 String or UUID fields ending in Id, _id, ById, _by_id, Ref, _ref that have no declared relation or FK constraint — orphan data is possible
jsonWithoutDocs            JSON/JSONB columns without a documentation comment
cascadeWithoutSoftDelete   onDelete: Cascade relations on a model that has no soft-delete field (isDeleted/deletedAt) — deleted records are irrecoverable

Configure:

"devManager.quality.builtin.schemaLint.enabled": true,
"devManager.quality.builtin.schemaLint.floatForMoneySeverity": "fail",
"devManager.quality.builtin.schemaLint.namingConventionSeverity": "warn",
"devManager.quality.builtin.schemaLint.maxFieldsPerModel": 30,
"devManager.quality.builtin.schemaLint.requireTimestamps": true,
"devManager.quality.builtin.schemaLint.requireIdDefault": true,
"devManager.quality.builtin.schemaLint.checkReservedWords": true,
"devManager.quality.builtin.schemaLint.moneyFieldPatterns": ["turnover", "proceeds"],
"devManager.quality.builtin.schemaLint.disabledRules": []
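As an added illustration (not the schema-lint provider's own code), the following checker implements three of the rules listed above, floatForMoney, stringAsFk and cascadeWithoutSoftDelete, and runs them over a constructed Prisma schema that violates each rule once. The regex-based parser, the sample schema and the default money-name pattern are simplifying assumptions for the example.

```javascript
// Added example, not the provider's code: a minimal checker for three schema-lint
// rules, run over a constructed Prisma schema. The regex parser is a simplification.
const SAMPLE_SCHEMA = `
model Order {
  id         String    @id @default(uuid())
  total      Float
  customerId String
  deletedAt  DateTime?
}
model OrderItem {
  id      Int     @id @default(autoincrement())
  price   Decimal
  orderId String
  order   Order   @relation(fields: [orderId], references: [id], onDelete: Cascade)
}
`;

const MONEY_NAME = /price|amount|total/i;              // assumed default money patterns
const FK_SUFFIX = /(Id|_id|ById|_by_id|Ref|_ref)$/;     // suffixes listed for stringAsFk

// Parse "model X { ... }" blocks into { name, fields: [{ name, type, attrs }] }.
function parseModels(schema) {
  return [...schema.matchAll(/model\s+(\w+)\s*\{([^}]*)\}/g)].map(m => ({
    name: m[1],
    fields: m[2].split('\n').map(l => l.trim()).filter(Boolean).map(l => {
      const [name, type, ...rest] = l.split(/\s+/);
      return { name, type: type.replace('?', ''), attrs: rest.join(' ') };
    }),
  }));
}

function lintSchema(schema) {
  const findings = [];
  for (const model of parseModels(schema)) {
    const softDelete = model.fields.some(f => f.name === 'isDeleted' || f.name === 'deletedAt');
    // Columns backing a declared @relation(fields: [...]) are real FKs, not orphan candidates.
    const relationFks = new Set();
    for (const f of model.fields)
      for (const n of (f.attrs.match(/fields:\s*\[([^\]]*)\]/)?.[1] || '').split(',')) relationFks.add(n.trim());
    for (const f of model.fields) {
      const at = `${model.name}.${f.name}`;
      if (/^(Float|Real|Double)$/.test(f.type) && MONEY_NAME.test(f.name))
        findings.push(`floatForMoney: ${at} is ${f.type}; use Decimal`);
      if (/^(String|Uuid)$/.test(f.type) && FK_SUFFIX.test(f.name) && !relationFks.has(f.name))
        findings.push(`stringAsFk: ${at} has no relation or FK constraint`);
      if (/onDelete:\s*Cascade/.test(f.attrs) && !softDelete)
        findings.push(`cascadeWithoutSoftDelete: ${at} cascades on a model with no soft-delete field`);
    }
  }
  return findings;
}
```

Running lintSchema(SAMPLE_SCHEMA) reports Order.total, Order.customerId and OrderItem.order; OrderItem.orderId is not flagged because it backs a declared relation.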

No Manual Migrations

A built-in check that flags hand-written or hand-edited SQL migration files for Drizzle, Prisma, and Atlas projects. It runs in the full Quality Hub scan and, when realtime is enabled, re-runs on save and when watched files change. Each adapter skips when the toolchain is not detected or the CLI is missing.

Stack     What to install
Drizzle   drizzle-kit (usually npm i -D drizzle-kit) — primary path runs npx drizzle-kit generate into a temp out and diffs against your repo; falls back to drizzle-kit check / journal validation when regen cannot run
Prisma    prisma (usually npm i -D prisma) — uses npx prisma migrate diff (works with schema.prisma or a prisma/schema/ folder)
Atlas     The atlas CLI (e.g. winget install ariga.atlas on Windows) — uses atlas migrate validate

Configure:

"devManager.quality.builtin.noManualMigrations.enabled": true,
"devManager.quality.builtin.noManualMigrations.severity": "error",
"devManager.quality.builtin.noManualMigrations.adapters": ["drizzle", "prisma", "atlas"],
"devManager.quality.builtin.noManualMigrations.checkRemoved": true,
"devManager.quality.builtin.noManualMigrations.gitLookback": 50

Details: Built-in checks — No Manual Migrations.


prisma-lint — Prisma Schema Conventions

Runs npx prisma-lint for Prisma-specific schema checks: model naming, field ordering, required indexes, and custom rule sets defined in .prismalintrc.

Install:

npm i -D prisma-lint

Configure:

"devManager.quality.builtin.prismaLint.enabled": true,
"devManager.quality.builtin.prismaLint.configPath": ""

Auto-skips when the project is not detected as a Prisma project (no prisma/@prisma/client in deps and no .prisma files found). Use configPath to point to a custom .prismalintrc file.


Squawk — PostgreSQL Migration Safety

Checks SQL migration files for unsafe PostgreSQL patterns: missing CONCURRENTLY on index creation, taking exclusive locks, backwards-incompatible ALTER TABLE changes, and more.

Install:

npm i -g squawk-cli

Configure:

"devManager.quality.builtin.squawk.enabled": true,
"devManager.quality.builtin.squawk.postgresVersion": "14",
"devManager.quality.builtin.squawk.dataRisk": "warn",
"devManager.quality.builtin.squawk.requireDownMigration": false

Auto-skips when no .sql migration files are found. postgresVersion controls which PostgreSQL version rules are applied.

Extra rules (no squawk binary required for these): after Squawk runs, SnakeFlow adds a Node-only pass for risky DML / missing timeouts and optional down-migration pairing — see Built-in checks — Squawk extras.


Atlas — Migration Linter

Runs atlas migrate lint with 50+ built-in analyzers: destructive changes, irreversible operations, backward compatibility, lock issues, and more. Supports PostgreSQL, MySQL, SQLite, SQL Server, and more.

Install:

winget install ariga.atlas

Configure:

"devManager.quality.builtin.atlas.enabled": true,
"devManager.quality.builtin.atlas.path": "atlas"

Auto-skips when no migration directory is found. Directories checked: migrations/, migration/, prisma/migrations/, db/migrations/, database/migrations/, src/migrations/, app/migrations/ (and one level deep for monorepos). Use path to point to a non-default atlas binary location.